Archive for the ‘Infrastructure Security’ Category

Whose Job Is Virtualization Security?

November 26, 2011

Richard Dreger / InformationWeek

To provide segmentation, you need the physical hardware team, and maybe the systems team, to configure the SAN disk arrays to balance performance, storage, and access requirements. Sure, you could physically carve up the disks and give different slices to each customer to provide a physical boundary, but this concept is anathema to performance-minded shops and the private cloud model.

Warding off cyberattacks through collaboration

November 24, 2011

By Ellen Nakashima / Washington Post

It’s easy to feel overwhelmed by the increasingly bad news in cyberspace, but there are a few bright spots. Government and commercial techies are finding some success in trying to protect computer users — often from their own careless behavior.

NIST Issues Cloud Computing Roadmap

November 5, 2011

Eric Chabrow / BankInfoSecurity

The National Institute of Standards and Technology said the draft publication defines high-priority requirements for standards, official guidance and technology developments that need to be met in order for agencies to accelerate their migration of existing IT systems to the cloud computing model. “A key contribution of the roadmap effort is to focus the discussion to achieve a clear understanding between the government and private sector, particularly on the specific technical steps – standards, guidance and technology solutions – needed to move federal IT from its current early-cloud state to a cloud-based foundation, as envisioned in the Federal Cloud Computing Strategy.

Alternate Internet to Secure Critical Infrastructures

October 29, 2011

ExecutiveGov / Katelyn Noland

The alternate Internet would be built with the intention of securing critical systems where there would be strict access rules and those who are allowed entry must report any suspicious behavior.

Classified Smart Phones

October 23, 2011

GCN / Henry Kenyon

A research team from Google, George Mason University and the National Security Agency have developed a hardened kernel for the Android 3.0 operating system that could solve the problem of using smart phones in military operations and emergency response.

The kernel, which is in the final stages of certification testing, opens the way for the Army to begin issuing smart phones or tablet-type wireless devices to troops in combat operations.

Sound Database Security Starts With Segmentation

October 1, 2011

Ericka Chickowski / Dark Reading

While database security activities in and of themselves might not necessarily be enormous tasks to tackle individually, it is scale that trips up organization. It can take a long time to implement a carefully planned security program blanketed across hundreds or even thousands of databases. In the meantime, organizations can’t afford to leave critical data flapping in the wind. By segmenting the network and compartmentalizing data by criticality, you can effectively perform a database security triage to put other compensating controls around the most important data.

Measuring Impact of Wi-Fi Denial-of-Service Attacks

September 17, 2011

John Cox / CSO

“In a Wi-Fi network, the Denial of Service attacks are usually generated by so-called ‘backoff misbehavior,’” she says. Based on the Wi-Fi protocols, client radios “listen” to see if the radio channel is being used. If it is, it “backs off” and waits for a set period, and then listens again. If the channel is clear, it can claim it, and send or receive data.

But an attacker can manipulate this process, changing the rules, Wang says. “[W]hen attacks change the rules of backoff time, it is similar to crashing a queue and occupying it forever,” she says. “Of course, [the] other users do not know what happened and would assume the entire network is down.”

By shortening its own backoff time, the attacker “can increase the chances of connecting to the access point dramatically, resulting in a much higher probability of access success.”
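The backoff mechanism Wang describes can be put in numbers with a small slotted simulation. The Python below is an added example written for this page, not code from the article or from Wang's measurement work. It models a simplified binary exponential backoff (a contention window of 16 slots doubling up to 1024, values assumed for illustration) with one station that draws its backoff from a shortened window, reports what share of successful transmissions each station ends up with, and applies a simple mean-backoff statistic that a monitoring node could use to flag the misbehaving station. Station names, the `cheat_factor` parameter and the 0.5 flagging ratio are all constructed for the example.

```python
"""Slotted simulation of 802.11-style binary exponential backoff in which one
station shortens its contention window.  Constructed model for illustration:
it quantifies how much of the channel the misbehaving station captures and
shows a per-station backoff statistic a monitoring node could use to spot it.
"""
import random
from dataclasses import dataclass, field

CW_MIN = 16    # initial contention window in slots (assumed, 802.11-style)
CW_MAX = 1024  # window cap after repeated collisions (assumed)


@dataclass(eq=False)
class Station:
    name: str
    cheat_factor: int = 1   # 1 = honest; >1 shrinks the window by that factor
    cw: int = CW_MIN
    backoff: int = 0
    wins: int = 0
    draws: list = field(default_factory=list)  # every backoff value chosen

    def draw_backoff(self, rng: random.Random) -> None:
        # honest: uniform over [0, cw-1]; misbehaving: uniform over a window
        # shrunk by cheat_factor, so it usually reaches zero first
        window = max(1, self.cw // self.cheat_factor)
        self.backoff = rng.randrange(window)
        self.draws.append(self.backoff)


def simulate(n_honest: int, cheat_factor: int, rounds: int, seed: int = 1):
    """Run `rounds` contention rounds with n_honest honest stations plus one
    station named "cheater" using cheat_factor (1 makes it honest as well).
    Returns ({station_name: share of successful transmissions}, stations)."""
    rng = random.Random(seed)
    stations = [Station(f"honest{i}") for i in range(n_honest)]
    stations.append(Station("cheater", cheat_factor=cheat_factor))
    for s in stations:
        s.draw_backoff(rng)
    for _ in range(rounds):
        lowest = min(s.backoff for s in stations)
        contenders = [s for s in stations if s.backoff == lowest]
        for s in stations:                 # others count down the elapsed slots
            if s not in contenders:
                s.backoff -= lowest
        if len(contenders) == 1:           # single sender: success
            winner = contenders[0]
            winner.wins += 1
            winner.cw = CW_MIN             # success resets the window
            winner.draw_backoff(rng)
        else:                              # collision: everyone involved doubles
            for s in contenders:
                s.cw = min(CW_MAX, s.cw * 2)
                s.draw_backoff(rng)
    total = sum(s.wins for s in stations)
    return {s.name: s.wins / total for s in stations}, stations


def suspicious_stations(stations, ratio: float = 0.5):
    """Flag stations whose mean chosen backoff is below `ratio` times the honest
    expectation (CW_MIN - 1) / 2.  Collisions only raise an honest station's
    mean, so a mean far below it points at a shortened window."""
    expected = (CW_MIN - 1) / 2
    return [s.name for s in stations
            if s.draws and sum(s.draws) / len(s.draws) < ratio * expected]


if __name__ == "__main__":
    for factor in (1, 8):
        shares, stations = simulate(n_honest=3, cheat_factor=factor, rounds=20000)
        print(f"cheat_factor={factor}: fair share={1 / len(stations):.2f}")
        for name, share in shares.items():
            print(f"  {name:8s} {share:.3f}")
        print("  flagged:", suspicious_stations(stations))
```

With four stations all playing by the rules each one wins roughly a quarter of the transmissions; once one station draws from a window eight times smaller it takes well over half of them and the others drop far below their fair share, which is the "crashing the queue" effect Wang describes. The detection heuristic only works where a monitor can observe or infer per-station idle times, so it is a starting point for measurement rather than a complete sensor.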


Lightweight Portable Security (LPS)

September 13, 2011

Software Protection Initiative / Department of Defense

Lightweight Portable Security (LPS) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). LPS boots a thin Linux operating system from a CD or USB flash stick without mounting a local hard drive. Administrator privileges are not required; nothing is installed.

The idea behind it is that workers can use a CDROM or USB stick to boot into a tamper proof, pristine desktop when using insecure computers such as those available in hotels or a worker’s own home. The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CDROM. The LPS system does not mount the hard drive of the host machine, so no trace of work activity can be written to the local computer.

Automate Searching with Google Alerts

July 8, 2011

Corey Harrell / Journey into Incident Response

Google queries show the information currently in Google’s index and cache, while Google alerts send email notifications when Google is returning new information. The combination of queries and alerts can be leveraged by organizations to identify security issues such as data leakage, website vulnerabilities, and stolen information.

The majority of the data breaches referenced had two things in common. The first commonality was sensitive company information was exposed to the Internet. The second commonality was the companies were notified about the data leakage after a third party located the information through Google searches.

U.S. Memorial Day Thoughts on Cyber War

May 31, 2011

@CERIAS by Gene Spafford

Everyone in IT and beyond should understand — fundamentally — that this is a new form of competition, of warfare (if we are to use that term). It is competition of the mind. It is information warfare in a much more fundamental sense than using information in support of kinetic weapons. It is employing information resources in a vast strategic way, across industries and generations to shape the future of nations.

Quantifying current state of cybercrime

February 17, 2011

Just two weeks ago, we all saw the end of an era when DHS announced that the color-coded threat system will be phased out and replaced with a new system known as the National Terrorism Advisory System.

Today, Norton released the Cybercrime Index, which quantifies the state of cybercrime and converts the danger level into a simple number. Is it the beginning of a new era?

At the top level, the CyberCrime Index takes this data and creates a number evaluating the relative risk of the threats of the day. However, it also provides a more in-depth look at active threats, threat trends, and provides advice on what kinds of behaviors are being most heavily targeted that day.

Security and Privacy in Public Cloud Computing

February 3, 2011

NIST has published a draft Special Publication (SP) “Guidelines on Security and Privacy in Public Cloud Computing”. NIST will accept comments on the draft until February 28, 2011.

NIST SP 800-144 provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.

Security Architecture Stack for the Cloud

February 2, 2011

In his recent “Building Security In” article Gunnar Peterson talks about the driving forces and challenges of moving critical systems to the cloud.

The main trends that will drive security architecture are visibility and verification, which we can pithily sum up as “Don’t trust. And verify.”

Enterprises are often told, even by security luminaries, that they must trust the cloud, but that’s bunk. Sure, they must rely on some access control and other security services that are beyond their control. However, this can be partly mitigated by visibility services offered by gateways (chokepoints) and monitoring (audit event logging). In other words, a nickel’s worth of visibility trumps a dollar of access control.

…………

Many enterprise systems have two security modes: untrusted and fully trusted. Cloud security requires a partial-trust model.

Signature-less zero-day game-changer

January 31, 2011

Last week ComputerWorld reported that Intel was developing a technology (most probably a chip) that will stop ALL zero-day attacks. Wow…that’s like finding a solution for the global recession, religious conflicts, or terrorism problems. I am not being sarcastic; I intentionally took these examples because they fall into the same bucket as zero-day threats – i.e., we can’t predict when these events will occur and how deep the impact will be.

I respect Mr. Rattner, who was named one of the top 200 individuals having the greatest impact on the U.S. computer industry back in the 90s, and I am sure he is up to something big, but if what he said comes true it’ll be HUGE!

We’re going to see a quantum jump in the ability of future devices, be them PCs or phones or tablets or smart TVs, to defend themselves against attacks.

….the technology won’t be signature-based, like so much security is today. Signature-based malware detection is based on searching for known patterns within malicious code. The problem, though, is that zero-day, or brand-new, malware attacks are often successful because they have no known signatures to guard against.

We’ve found a new approach that stops the most virulent attacks. It will stop zero-day scenarios. Even if we’ve never seen it, we can stop it dead in its tracks.

Still, I’d have preferred the article heading more like how Paul Ducklin put it: “It’s a pity that Intel’s work has been touted in such hyperbolic fashion. Headlines like ‘Intel to add new low-level layer of computer security’ would, surely, have been much more meaningful.”

Security Priorities for 2011

January 23, 2011

We all know our priorities for 2011 – protect Cloud, Social Networks, Mobile Devices, Critical Infrastructure. But this is not uncommon: any device or environment that gets more power, or on which we become dependent, goes up the hackers’ list and the fight starts. Before we start with the 2011 list, we still have some carryover items from 2010 (Wikileaks, Stuxnet, etc.) that we need to close ASAP. To make it easy for security professionals, Mathew has put together an enumerated list of the top 10 security predictions for 2011:

  1. Smaller Botnets Muscle Up
  2. DDoS Attacks Deny More With Less
  3. Smartphones Trigger Data Breaches
  4. Hacking Gets Industrialized — More Effective, Less Expensive
  5. Social Networks Feel More Pain
  6. Crimeware As A Service
  7. Specialized Malware Moves Past PCs And Servers
  8. Insider Attacks Still Unstoppable
  9. Government Security Gets A “Fraud Department”
  10. Cyber War Vs. Online Protests, Censorship, Political Attacks

Holograms on cell phones

January 21, 2011

Is it too early (or too late) to talk about the privacy and security risks and issues arising from emerging technologies?

With a cell phone hologram, a user would be able to walk next to a hologram of a friend, or a worker could project an enlarged 3D image of a product needing repair to walk inside it and detect problems, Bloom said. “The repair person could go inside the device instead of looking it up in a manual,”

Electricity Grid Modernization

January 19, 2011

Back in September 2010, NIST issued its first Guidelines for Smart Grid Cyber Security, but according to GAO report, NIST did not address the risk of attacks that use both cyber and physical means. To provide the missing pieces, GAO published a study on Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed.

With respect to challenges to securing smart grid systems, GAO identified the following six key challenges:

* Aspects of the regulatory environment may make it difficult to ensure smart grid systems’ cybersecurity.
* Utilities are focusing on regulatory compliance instead of comprehensive security.
* The electric industry does not have an effective mechanism for sharing information on cybersecurity.
* Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems.
* There is a lack of security features being built into certain smart grid systems.
* The electricity industry does not have metrics for evaluating cybersecurity.

Light Speed Transactions and Latency Threats

January 12, 2011

Today Bruce Schneier blogged about the same threat that I discussed earlier this week.

It’s hard to know how real this threat is. Certainly micro-traders pay attention to latency, and sometimes even place their computers physically close to exchanges so they can reduce latency. And while it would be illegal to deliberately manipulate someone else’s trades, it is probably okay to place a gazillion trades at the same time which — as a side effect — increases latency for everyone else. My guess is that this isn’t a movie-plot threat, and that traders are trying lots of things along this line to give them a small advantage over everyone else.

It seems to be one of the most talked-about topics. Wired.com ran a story on robo-clients that aren’t there just to crunch numbers but to make the decisions to buy or sell a stock, which in turn increases the speed per transaction.

many prop-trading algorithms look at the market as a vast weather system, with trends and movements that can be predicted and capitalized upon. These patterns may not be visible to humans, but computers, with their ability to analyze massive amounts of data at lightning speed, can sense them.

Wissner-Gross and Freer of MIT recently published a paper (pdf) titled “Relativistic statistical arbitrage” to calculate a representative map of locations from which to coordinate relativistic statistical arbitrage among the world’s major securities exchanges.

Will making the systems faster increase the likelihood of latency threats?

Is Internet Backbone Vulnerable to Cyber Attack?

December 22, 2010

The protection of backbone infrastructure is no different from the protection of financial and health infrastructure (aka Critical Infrastructure). Zhou makes a good point about regulating and establishing minimum security/safety standards. Why is it unregulated when other critical service institutions are?

Zhou has used SWITCH, the Swiss national network for research and education, as the focus of a case study and simulation of how such physical damage might impact on networks and the internet as a whole in the future.

Her results offer three main recommendations for protecting critical network infrastructure that should be considered at the national level:

  1. First, common connection points, where several cables or network hubs meet, should be regarded as key protected infrastructure.
  2. Secondly, backbone and service providers should be persuaded and supported in protecting their network backbone and to diversify the physical routing of fibre optic cables.
  3. Thirdly, national governments need to cooperate with service providers and define a series of basic safety standards for what is currently an entirely unregulated sector of information and communication technologies.

Canada’s Cyber Security Strategy

October 4, 2010

A country-level security strategy document with some interesting statistics.

Three of our closest security and intelligence partners, the United States, the United Kingdom and Australia, recently released their own plans to secure cyberspace. Many of the guiding principles and operational priorities set out in those reports resemble our own. This complementarity reflects our shared experiences in dealing with cyber security, and demonstrates our determination to enhance our collective security by leveraging each ally’s domestic cyber regimes.
